I’ve done a little research but curious about first hand experience.
I’ve got a little home server that is full disk encrypted with LUKS (+LVM, of course). It’s headless (no display, no keyboard, etc) and just lives attached to the back of my desk, out of the way.
If it gets rebooted due to a power outage, I can plug in a keyboard, wait long enough for it to get to the LUKS password prompt, enter password, hit enter, and assume it worked if I see the disk activity light blinking. Worst case scenario, I can move it to a monitor and plug it in to get display too.
Because lazy, I’d prefer to be able to enter the decrypt password remotely. “Dropbear” seems to be a common suggestion but I haven’t tried it yet.
So, asking for your experience or recommendations.
I’ll start. Recommendation #1 - get a UPS : D … But besides that.
Addendum: either way, I currently need to be home to do this because I access it remotely via tailscale along with my desktop. Since both are full disk encrypted, neither will boot to the point of starting tailscale without intervention. But, I might repurpose a nonencrypted RPi with SSHd to act as a “auto restarts with tailscale so I can SSH to it, then SSH to server to enter the LUKS password” jump point.
asking out of curiousity: what benefits does encryption have here?
as long the server runs everything is decrypted right? so you are encrypting for the case when someone actively steals your hardware?
edit: stealing as in taking away. but this would mean accessing during runtime is nonetheless possible in a decrypted way?
In addition to drives being safer to replace and sell, encryption at rest should also protect against theft. So the scenario being someone taking the server or its drives. At least for me encrypting the drives gives a bit more peace of mind seeing as credentials for various accounts aren’t easily retrieved from the disks.
But yeah, this does not protect from data being read at runtime
luks will also prevent or uphold the encryption if e.g. the power is pulled?
+this means that if someone breaks in, cuts the cables during running decrypted the data is still safe?
Yes, exactly
I’ve recently upgraded my hard drives used for storage. and because I ain’t made of money, I wanted to sell the old drives.
shredding those things took ages (4 TB drives). lesson learned, new drives are btrfs + LUKS that gets unlocked via key file. so when the time comes to sell those, I won’t bother with shredding, just sell them as is.you mean that even if the next user formats it you make sure that leftovers/artefacts cannot be read right?